Time Zone of Guccifer 2 cf.7z

In a recent post, I observed that the majority of the emails in the Wikileaks DNC archive were sent AFTER Crowdstrike installed their anti-Russian software on May 6. In today’s post, I’ll look at a metadata issue concerning Guccifer 2, who was, with “high confidence”, attributed by the US intel community to be Russian, supposedly working under the personal direction of Putin. I’m going to look closely at document metadata in the two 7z dossiers published by Guccifer 2 in fall 2016. Neither of the two dossiers contained any documents of any relevance to the 2016 election.

Earlier this year, Forensicator observed that the ngpvan.7z dossier showed evidence of several copying and collating operations, including a copying operation in which the modification date-times of all documents were set to a 14 minute window on July 5, 2016. From analysis of the metadata, Forensicator plausibly argued that the copy-to computer was set to Eastern time zone. Forensicator didn’t comment on the other Guccifer 2 dossier (cf.7z).

I’ve closely examined both dossiers and noticed that the time zone of the cf.7z copy-to computer appears to be one hour earlier than the time zone of the copy-to computer analysed by Forensicator, i.e. Atlantic Canada time. I am much less knowledgeable than Forensicator and similar analysts in such details and am unable to present a solution.

Forensicator’s Analysis of ngpvan.7z Time Zones

The top directory of Guccifer 2’s ngpvan.7z dossier contained 13 .rar folders, 4 .zip folders and 5 documents (pdf, png). All .rar folders had modification dates of Sept 1, 2016 – a few days before announcement of the dossier on Sept 4, 2016. All .zip files, documents in the top directory and documents in the .rar folders had modification dates of July 5, 2016. Forensicator, working in Pacific time zone, noticed that there was a 3 hour time difference between modification times displayed for documents within the .rar files and those located in the top directory (as shown in the figure below). Forensicator explained (here) this difference as due to the following: 7z stored documents in UTC while the .rar files, constructed using WinRAR 4, were in local relative time, from which he deduced that the copy-to computer of the July 5 copy operation was in Eastern time zone.

His explanation is terse. To fully understand his point in operational terms, I adjusted my computer to UTC and took equivalent observations. A file outside the RAR folders (e.g. sf3.pdf), which was displayed as 15:46 Pacific, is displayed as 22:46 UTC, reflecting the 7 hour time difference. However, a file within the RAR folders (e.g. DonorsByMM.xlsx), which was displayed as 18:51 Pacific, is now displayed as 18:51 UTC. In other words, 7z doesn’t know the correct timezone of the RAR documents and incorrectly assumes they come from the timezone of the current user. The timezones only match using Eastern Daylight -0400.

Forensicator’s point is unequivocally correct. I would prefer that he not have said “we need to adjust the .7z file times to reflect Eastern Time”. Having spent time trying to parse through this, I would have said that “we need to adjust the RAR file times”, since it is the RAR timezone that 7z gets wrong, but that doesn’t impact the correctness, importance or originality of his observations.
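The display behaviour described above can be written out as a small model, so that the deduction of the creator’s time zone becomes arithmetic rather than something to be re-checked by resetting a computer’s clock. The following is an added example, not code from the post or from Forensicator; it assumes, as the post states, that a 7z entry records the absolute instant in UTC and that a WinRAR 4 entry records the creator’s local wall-clock with no zone attached, so that a viewer converts the former and shows the latter unchanged. The sample instant, the file name `sample.pdf` and the `-4` creator offset are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Entry:
    name: str
    container: str      # "7z" or "rar"
    stored: datetime    # aware UTC instant for 7z, naive wall-clock for rar


def store_7z(name: str, instant_utc: datetime) -> Entry:
    # Assumption from the post: 7z keeps the absolute instant (UTC).
    return Entry(name, "7z", instant_utc)


def store_rar(name: str, instant_utc: datetime, creator_offset_h: int) -> Entry:
    # Assumption from the post: WinRAR 4 keeps the creator's local wall-clock
    # and drops the zone, so the stored value is naive.
    creator_tz = timezone(timedelta(hours=creator_offset_h))
    wall_clock = instant_utc.astimezone(creator_tz).replace(tzinfo=None)
    return Entry(name, "rar", wall_clock)


def display(entry: Entry, viewer_offset_h: int) -> str:
    """HH:MM that a 7-Zip listing shows on a computer set to UTC+viewer_offset_h."""
    if entry.container == "7z":
        viewer_tz = timezone(timedelta(hours=viewer_offset_h))
        return entry.stored.astimezone(viewer_tz).strftime("%H:%M")
    # RAR entry: the stored wall-clock is shown as-is, i.e. silently treated
    # as though it were already in the viewer's zone.
    return entry.stored.strftime("%H:%M")


def infer_creator_offset(sevenz_shown: str, rar_shown: str, viewer_offset_h: int) -> int:
    """Forensicator's deduction as arithmetic.

    If a 7z-stored and a RAR-stored copy from the same copy window display as
    sevenz_shown and rar_shown (HH:MM) on a viewer at UTC+viewer_offset_h, the
    creator's zone is the viewer's zone plus the displayed gap. The gap is
    rounded to whole hours because the two files need not share the exact
    instant (the post's July 5 window spans about 14 minutes).
    """
    d7 = datetime.strptime(sevenz_shown, "%H:%M")
    dr = datetime.strptime(rar_shown, "%H:%M")
    gap_h = (dr - d7).total_seconds() / 3600
    if gap_h > 12:          # wrap across midnight
        gap_h -= 24
    elif gap_h <= -12:
        gap_h += 24
    return viewer_offset_h + round(gap_h)


# Constructed sample: one copy instant, 2016-07-05 18:51:59 EDT (UTC-4),
# recorded once the 7z way and once the RAR way.
INSTANT_UTC = datetime(2016, 7, 5, 22, 51, 59, tzinfo=timezone.utc)
SEVENZ_COPY = store_7z("sample.pdf", INSTANT_UTC)
RAR_COPY = store_rar("DonorsByMM.xlsx", INSTANT_UTC, creator_offset_h=-4)


def views(viewer_offset_h: int) -> tuple:
    """(7z display, RAR display) for the two sample entries under one viewer zone."""
    return display(SEVENZ_COPY, viewer_offset_h), display(RAR_COPY, viewer_offset_h)


if __name__ == "__main__":
    for label, off in (("Pacific (PDT, UTC-7)", -7), ("UTC", 0)):
        s7, sr = views(off)
        print(f"{label}: 7z shows {s7}, RAR shows {sr}, "
              f"creator offset UTC{infer_creator_offset(s7, sr, off):+d}")
```

Run as a script, the same instant shows as 15:51 / 18:51 on a Pacific viewer and 22:51 / 18:51 on a UTC viewer; the 7z reading moves with the viewer while the RAR reading does not, and both viewers recover UTC-4. Feeding in the post's own readings (15:46 and 18:51, viewer UTC-7) gives the same answer, since the 3 h 05 min gap rounds to three hours.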

July 5, 2016 Copying in cf.7z

Guccifer 2’s other 7z dossier (cf.7z) was released on October 4, 2016 in a blogpost promising (but not delivering) salacious details of the Clinton Foundation. Like the previous dossier, the documents in cf.7z are mundane administration details of the Democratic Party of Virginia (DPVA) – not even the DNC. Whereas the documents of ngpvan.7z were all extremely stale (most recent documents from 2011), cf.7z consists of documents from 2013-2016. Its most recent document is from June 1-2, 2016, but documents originating after April 2016 are very sparse.

Three directories contain documents with modification dates of July 5, 2016. From the time gaps in the ngpvan.7z dossier, Forensicator had postulated that a much larger copying operation had taken place on July 5. The cf.7z documents with modification dates of July 5 seem to originate from this larger copy operation – but display as exactly one hour earlier, indicating a difference in time zone display rather than a different origin. The earliest time in the ngpvan.7z dossier was 18:39; the documents in the cf.7z/OFA directory (152.6 MB) have modification times between 17:34 and 17:38, immediately preceding, allowing for the postulated one hour time zone difference:

The cf.7z/Donor Research and Prospecting contains documents with modification dates ranging from March 2015 to July 5, 2016 (plus one 2011 outlier). Some documents were copied in what Forensicator called the “Windows” style, while others, including the most recent batches (dated May 23, June 6 and July 5), were copied in what Forensicator called the “Unix” style that was used in the July 5 copy step of ngpvan.7z. The July 5 tranche has modification times between 17:39 and 17:52, which again fit, allowing for the proposed one hour time zone difference. (Displayed time for computer set to Atlantic Canada time match perfectly.)

Documents in a third directory (the very small cf.7z/emails directory) also match, allowing for the proposed one-hour time zone difference.

DonorsByMM.xlsx

It turns out that two documents in the cf.7z/Donor Research and Prospecting directory (DonorsByMM.xls and DonorsByMM_2.xls) were also uploaded to the ngpvan.7z/DonorAnalysis directory, where the postulated one hour time zone difference can be demonstrated to one second accuracy. More detailed properties can be obtained by right-clicking on the files, with results for each shown below. To the nearest second, the respective copy times are shown as 17:52:00 and 18:51:59, one hour apart to the second.

There are differences in technique in the preparation of the two dossiers. Times in the cf.7z dossier appear to be rounded to the nearest minute or second, while times in the ngpvan.7z are chopped off. Thus a file with a time ending in 59.6 seconds would be rounded in one case, chopped in the other. One archive used a LZMA2:26 method, while the other used m3:22. The ngpvan.7z archive mentions Win32, not mentioned for cf.7z.
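The to-the-second comparison of DonorsByMM_2.xls and the rounding-versus-chopping remark both come down to one question: could two listed times, one rounded and one truncated and possibly an hour apart, describe a single original instant? The following added example (not code from the post) answers it by treating each listed value as an interval of possible true instants and checking whether the intervals overlap after removing the proposed offset. It assumes, as the post says, that the cf.7z listing rounds to the nearest second and the ngpvan.7z listing truncates; the 17:52:00 and 18:51:59 readings are the post's, and the 17:51:59.6 instant is constructed.

```python
from datetime import datetime, timedelta


def truncate_to_second(ts: datetime) -> datetime:
    # "chopped off": the fractional second is simply dropped
    return ts.replace(microsecond=0)


def round_to_second(ts: datetime) -> datetime:
    # rounded half-up to the nearest whole second
    base = ts.replace(microsecond=0)
    return base + timedelta(seconds=1) if ts.microsecond >= 500_000 else base


def render_both(ts: datetime) -> tuple:
    """(truncated, rounded) HH:MM:SS renderings of one sub-second instant."""
    return (truncate_to_second(ts).strftime("%H:%M:%S"),
            round_to_second(ts).strftime("%H:%M:%S"))


def _seconds_of_day(hhmmss: str) -> int:
    t = datetime.strptime(hhmmss, "%H:%M:%S")
    return t.hour * 3600 + t.minute * 60 + t.second


def _possible_instants(shown: str, rounded: bool) -> tuple:
    """Half-open interval [lo, hi) of true instants (seconds of day) that the
    listing rule would display as `shown`."""
    s = _seconds_of_day(shown)
    return (s - 0.5, s + 0.5) if rounded else (float(s), s + 1.0)


def same_instant(shown_a: str, a_rounded: bool,
                 shown_b: str, b_rounded: bool,
                 b_minus_a_hours: int) -> bool:
    """True if some fractional-second instant would be listed as shown_a
    under listing A and as shown_b under listing B, where B displays
    b_minus_a_hours later than A because of a whole-hour zone difference."""
    a_lo, a_hi = _possible_instants(shown_a, a_rounded)
    b_lo, b_hi = _possible_instants(shown_b, b_rounded)
    shift = b_minus_a_hours * 3600
    b_lo, b_hi = b_lo - shift, b_hi - shift
    return a_lo < b_hi and b_lo < a_hi


if __name__ == "__main__":
    # Constructed instant ending in 59.6 s: truncation and rounding differ
    print("17:51:59.6 ->", render_both(datetime(2016, 7, 5, 17, 51, 59, 600_000)))
    # The post's two readings: cf.7z (rounded) 17:52:00, ngpvan.7z (truncated)
    # 18:51:59, one hour apart
    print("consistent with one instant, 1 h offset:",
          same_instant("17:52:00", True, "18:51:59", False, 1))
    print("consistent with no offset:",
          same_instant("17:52:00", True, "18:51:59", False, 0))
```

With the one-hour offset the two readings overlap on the half-second 17:51:59.5 to 17:52:00 (creator clock), so a single original instant accounts for both; with no offset, or with a reading of 17:52:01 on the rounded side, no such instant exists.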

Conclusion and Question

It seems certain to me that the DonorsByMM_2.xlsx document in each archive originated in a single copy operation with metadata differences arising from later processing. The timezone of the cf.7z dossier has somehow been set one hour earlier than the time zone of the ngpvan.7z dossier, which Forensicator deduced as Eastern North America. This implies Central time zone. In addition, somewhat different techniques were used in the preparation of the two dossiers. I don’t know enough of the details of the copy operations to diagnose further and would welcome any ideas.

38 Comments

Steve, most intriguing. Makes me wish I understood all the technical details.
Forensicator puts the difference between UTC and local copy time at three hours or UTC -3. And incorrectly ascribed local time as Eastern time zone, it seems. The Eastern time zone is UTC -5 (or -4 for Daylight Savings). A UTC -3 time would correspond to Atlantic Time Zone during Daylight Savings. One hour earlier would be UTC -2, Saint Pierre Miquelon Daylight Savings. Now, isn’t that interesting?

You misunderstood. You say “Forensicator puts the difference between UTC and local copy time at three hours”. Nope, he put the difference between document local copy time and Pacific time (his local time) as 3 hours, thus Eastern.

Yes, I misunderstood. Thanks for explaining. One internet source stipulated that some sites in Atlantic Time Zone, Canada, opted not to switch to Daylight Savings. These sites correspond to Eastern Daylight Savings time, UTC -4. I could not verify this, however.

I’ll be Sherlock Holmes. It seems Guccifer 2 is busy between 5 and 7 p.m. Eastern Time, after work and before dinner. Unlikely he is in Moscow. Possesses a laptop originally registered to the US Government’s General Services Administration. Had access to DNC computers in 2011, and the Virginia Party branch computers in 2016. An employee of both organizations, or private IT technician for both. Or someone especially involved with fundraising for both. One hour time differences – possibly a glitchy Daylight Savings Time protocol in the laptop? Puerto Rico is Atlantic Time too – and no DST.

Could be someone who writes like this half-Canadian:

Today, I work with political campaigns, non-profits, and corporations throughout the United States and internationally, including Africa, Asia, the Caribbean, and Canada.

Additionally this self-identified “half-Canadian” (his words) lives or lived in the Washington DC area and has contributed at least one article about computer security to “The Hill Times–Canada’s Politics and Government Newsweekly.”

This half-Canadian also writes, “I help organizations move their target audiences to action by bridging the gap between strategy, messaging, and operations using data, analytics, and technology.” He calls himself a “half nerdy—half geeky kid from Toronto, Canada.”

I wouldn’t mention all this except for the information above about the upload from Canada. Which is interesting to say the least.

I’m posting here some new stuff from CNN. It’s about Manafort, but the timing is relevant. Manafort was tapped since 2014. The FBI didn’t find anything, it lapsed, but in August 2016 they got a new secret order. I wonder if it was based on the Guccifer 2’s “Russian whiskers” and the spying data whipped up by Christopher Steele:

“As Manafort took the reins as Trump campaign chairman in May, the FBI surveillance technicians were no longer listening. The fact he was part of the campaign didn’t play a role in the discontinued monitoring, sources told CNN. It was the lack of evidence relating to the Ukraine investigation that prompted the FBI to pull back.

“Manafort was ousted from the campaign in August. By then the FBI had noticed what counterintelligence agents thought was a series of odd connections between Trump associates and Russia. The CIA also had developed information, including from human intelligence sources, that they believed showed Russian President Vladimir Putin had ordered his intelligence services to conduct a broad operation to meddle with the US election, according to current and former US officials.

I’m guessing the 2016 search warrant request did not include this language: “This evidence was procured by a respected ex-spy of a foreign power hired by domestic political opponents of the presidential candidate Manafort previously worked for.”

You say “Atlantic Canada (and parts of South America) have a time zone one hour earlier than Eastern time.” But Atlantic Canada time is actually one hour later than Eastern Time, i.e. 5:00 PM Eastern is 6:00 PM Atlantic. Does that affect your conclusion?

Steve: I didn’t express myself clearly. Be that as it may, it requires Atlantic Time (4 hours from Pacific), not Central, to fit.

Steve, if I understand your question you are asking: considering the two G2 dossiers in 7z (zipped format) each were made of contents of a common ancestor, the original download of July 5, 2016, then why have the July 5 time-stamps become out of sync by one hour? Because getting out of sync means there must be another way to manipulate the time-stamp (intentionally or not). And the Forensicator’s article did not consider this possibility.

Have you considered reaching out to the Forensicator or his acknowledged sources? They are Elizabeth Vos at Disobedient Media who was the first to report on this analysis and Adam Carter who maintains the g-2.space web site. You can reach Elizabeth and Adam on Twitter.

I notice in the postscript of this post that the cf.7z file was possibly uploaded from an Atlantic time site. I don’t see how the upload site would affect the file metadata. The Forensicator says the stamp recreated by WinRAR sets the time to local time but the 7z keeps the time fixed in UTC absolute time. The file DonorsByMM_2.xls in the cf.7z version was created in 7z and thus is locked in UTC. Whereas the DonorsByMM_2.xls in ngpvan.7z had its time stamp recreated by WinRAR to emulate your local time.

Perhaps G2 got it out of sync by repackaging from 7z to RAR and back to 7z on a computer set to the central time zone. This would have made the date permanently an hour earlier. Steve, if the UTC zone is part of the metadata then I figure that WinRAR would be able to get the dates back in sync if you just pack and unpack DonorsByMM_2.xls in WinRAR.

The Nation has a good article for anyone wanting to read a good article covering the background story of the Forensicator and Adam Carter’s analysis and Veteran Intelligence Professionals for Sanity (VIPS).

My questions:

1) Why couldn’t the active intelligence community (IC) have looked at the files and come to the conclusion that the download speed was typical of USB 2.0 rather than internet? This seems pretty basic.

2) If G2 is a leaker rather than a hacker why doesn’t G2 ever reveal anything newsworthy other than his access?

3) If G2 is the source for WL why does WL have mostly the recent files and G2 releases the stale 5-year-old stuff? I would think if the leaker seeks the public eye he would want to release the juicy ones while letting WL serve as the comprehensive archive.

Steve, I noticed opening MM.xls and DonorsByMM_2.xls in cf.7z that this Excel file’s contents are very sensitive to the specific freshness date of the data yet there are no dates of any kind to let the user know the as-of date. This is very unusual. Dates are important in snapshots of a campaign fundraising status. I don’t know what to make of it.

Also, I noticed that opening cf.7z with Express Zip or WinZip21 makes the MM.xls and DonorsByMM_2.xls time 5:52pm but when right clicking for properties in Express Zip the date is 6:52pm.

I’m dubious of USB argument on a couple of counts. VIPS pressed the leak assertion much more strongly than Forensicator or Adam Carter, both of whom resisted such a conclusion on the grounds of available evidence.

Forensicator initially was only trying to rule out hacking from Romania and didn’t frame the question as well as he might have. Better question is whether copy rates ruled out hack from Eastern US by high-speed internet? Not as clear.

Second, G2 handled his data multiple times. What if the data had already been exfiltrated prior to July 5 and G2 was simply moving data from one computer to another. My copy of Climategate emails has moved computers a couple of times, each time via external disk drive.

I’ve got more analysis on cf.7z which indicates to me that G2 had uploaded documents since at least late 2015. This suggests hack access, not USB.

I agree with you that placing G2’s data exfiltration date at July 5 makes no sense for such old files. It seems the various “modified dates” really were just the last time accessed (opened) in many cases. If that is the case that would be typical of a hacker/leaker browsing for their own treasure hunting at various times after possession of the hoard from an initial break in.

It seems with so many files the DNC should be able to nail down the likely time frames of exfiltration by creating a history snapshot profile of their data archive and seeing what matches G2.

Steve, what are the document names of the most recent DNC modified files (not just accessed)?

So G2 was in the computer approximately a month after Crowdstrike arrived. He said in an interview that he was expelled from the system around June 10-12 (when Crowdstrike changed passwords.) Hmm, this is a very relevant point to VIPS theory of thumbdrive download of ngpvan.7z that doesn’t seem to have been reconciled. G2 never claimed to be in the system as late as July 5 – so that would point to July 5 procedures being copies from one G2 location to another, rather than live exfiltration as required in the VIPS theory.

The absence of either documents or emails after early June is also consistent with no penetration after at least June 10-12.

I spot-checked documents in each directory, but didn’t try to figure out if I could automate retrieval of doc properties. I did figure out a way to automate retrieval of file properties in the directories in R and made csv files for both cf and ngpvan.

Are the Veteran Intelligence Professionals for Sanity (VIPS) a credible source of information? Do they claim to have useful contacts inside the intelligence community that can lend some credibility to their statements or the technical expertise to understand computer hacking? Or are they just a group that occasionally echoes themes in the media they happen to agree with? A link to all of their news releases is given below.

Like anything, YMMV. I think that their recent advocacy of thumb drive based on July 5 copy speeds for ngpvan.7z is wrong, because there is no evidence that the July 5 copy operation was an upload from DNC (as opposed to some internal operation by G2.) Indeed, evidence against. Other side is just as bad or worse, so no particular disgrace to be wrong on this.

However, it’s important for DNC “skeptics” to avoid errors, as they vaccinate against valid criticisms.

Manafort’s attorneys will surely obtain original FISA warrants of 2014. We will learn what sort of rationale
(lies?) was presented to FISA court by Comey FBI. Also Comey’s use of Steele memoranda to obtain 2nd FISA warrant. Lotsa goodies from this cornucopia. Implications that Trump Tower was “wiretapped”, despite denials. I wonder if Steele memoranda used to request FISA warrant on Trump? Turned down or no?

mpainter: “Manafort’s attorneys will surely obtain original FISA warrants of 2014. We will learn what sort of rationale (lies?) was presented to FISA court by Comey FBI. Also Comey’s use of Steele memoranda to obtain 2nd FISA warrant. Lotsa goodies from this cornucopia. Implications that Trump Tower was “wiretapped”, despite denials. I wonder if Steele memoranda used to request FISA warrant on Trump? Turned down or no?”

Can you help me substantiate some of these rumors? As best I can tell, The NYT and WP reported the FBI offered Steele $50,000 back in 2016 if he could provide confirmation of the information in his memo. Sen Grassley has asked the FBI and then Rosenstein to confirm or deny this information. As best I can tell, no official reply has been received.

What makes you think material from the Steele dossier was used in a FISA warranty?

Why can Manafort’s lawyers obtain the FISA warrants? FISA court is for counterintelligence investigations. They are not criminal investigations. If something is uncovered during the counterintelligence investigation, then it would be sent to the criminal division.

That’s a point that I did not consider. But does the law actually deny Manafort access to the FISA application? That is FBI. Did not Carter Page succeed in obtaining his?
If the FISA application was illegal, what of the spying on the suspect? Illegal evidence. Lotsa legal questions here.

Also, the information was leaked, and now is public, so another twist.

I’ve slightly edited my exposition of Forensicator’s deduction of Eastern timezone, which I accepted but didn’t follow as well as I wanted operationally. New text follows:

His explanation is terse. To fully understand his point in operational terms, I adjusted my computer to UTC and took equivalent observations. A file outside the RAR folders (e.g. sf3.pdf), which was displayed as 15:46 Pacific, is displayed as 22:46 UTC, reflecting the 7 hour time difference. However, a file within the RAR folders (e.g. DonorsByMM.xlsx), which was displayed as 18:51 Pacific, is now displayed as 18:51 UTC. In other words, 7z doesn’t know the correct timezone of the RAR documents and incorrectly assumes they come from the timezone of the current user. The timezones only match using Eastern Daylight -0400.